Slashdot Mirror


Cybersecurity Company Extorted Its Clients, Says Whistleblower

An anonymous reader writes: Richard Wallace used to be an investigator for Tiversa, a cybersecurity company that sells services like "breach protection" and "incident response." These days, Wallace is testifying in federal court that Tiversa faked breaches to encourage sales, and extorted clients that weren't interested. For example, Wallace said Tiversa targeted a cancer testing center called LabMD in 2010, tapping into their computers and downloading medical records. Tiversa then used those records as evidence to convince LabMD they had been hacked, offering its "incident response" service at the same time. LabMD didn't fall for it, so Tiversa told the FTC about the "hack." The FTC, none the wiser, went after LabMD in court, eventually destroying the business. Wallace has also cast suspicion on reports Tiversa has issued, including one saying President Obama's helicopter blueprints were found on Iranian computers.

13 of 65 comments

  1. Some guyz in my old neighborhood used to do this by NotDrWho · · Score: 5, Funny

    "Hey, you need us for security protection, otherwise you never know when a break-in might happen, right Vinnie?"

    "Yeah boss, this place *definitely* needs to pay for our security protection."

    "See? You should listen to Vinnie, he's a security expert and shit."

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  2. The FTC report by YrWrstNtmr · · Score: 5, Informative

    Details here: https://www.ftc.gov/enforcemen...

    That's some messed up stuff. Tiversa needs to be burned to the ground, and their board members in actual jail.

    1. Re:The FTC report by YrWrstNtmr · · Score: 4, Informative

      However, the plot thickens:
      From the Motion to Dismiss: https://www.ftc.gov/system/fil...
      (in part)"In 2008, Lime Wire was found on a LabMD workstation at Internet Protocol address 64.190.82.42 in Atlanta, Georgia. Lime Wire was installed by a LabMD employee, without authorization and in violation of company policy."

      "On May 13, 2008, Tiversa contacted Lab MD, advised that Tiversa had downloaded LabMD's file, but refused to provide any additional information unless LabMD paid Tiversa for "remediation." Over the next two months, Tiversa sent six more sales-pitch emails to LabMD. LabMD, however, declined Tiversa's shakedown."

  3. Tiversa breached systems? by Anonymous Coward · · Score: 4, Interesting

    So Tiversa breached systems to get data from them to show the system owner that they needed their services?

    But if Tiversa did breach those systems, then they did need Tiversa's services didn't they?

    1. Re:Tiversa breached systems? by Pi1grim · · Score: 5, Insightful

      Well, fun fact, if some kid breaches the system and then gives the evidence that system is flawed to the company without demanding any money - then he's a criminal, if a large company does the same, only demanding a large payment for services rendered and subscription to future services - then it's business as usual.

    2. Re:Tiversa breached systems? by Capt.Albatross · · Score: 3, Informative

      So Tiversa breached systems to get data from them to show the system owner that they needed their services?

      But if Tiversa did breach those systems, then they did need Tiversa's services didn't they?

      Yet the linked-to article says "If Wallace is telling the truth, the FTC aggressively prosecuted a company based on bogus evidence."

      The only way I can see the evidence being bogus is if Wallace exploited a position of trust granted to him by the target company, and not even necessarily then. Whatever the truth is, the report is not self-consistent. Apparently, rational analysis and critical thinking are not employed at CNN - but we suspected that, anyway.

    3. Re:Tiversa breached systems? by gstoddart · · Score: 5, Informative

      But, honestly though ... if a corporation is charged in federal court, will they pay a fine, or will someone do jail time?

      Because if the corporation will pay a fine, but a person would get jail time ... that's pretty much what a double standard means.

      So before you go all full-metal asshole on the poor guy, ask yourself, has anybody from a corporation who does this kind of crap gone to jail?

      If doing something on behalf of a corporation means you don't go to jail, there most assuredly is a double standard.

      --
      Lost at C:>. Found at C.
    4. Re:Tiversa breached systems? by Bob9113 · · Score: 4, Insightful

      LabMD may still have had a security problem worthy of investigation. But Tiversa's behavior is the subject of this criminal investigation. If Tiversa only blew the whistle on LabMD after they declined to purchase Tiversa's services, they are arguably engaged in racketeering, and should be prosecuted.

    5. Re:Tiversa breached systems? by radarskiy · · Score: 5, Informative

      Tiversa's claim to LabMD was not that LabMD had vulnerabilities, but that LabMD had been breached. Tiversa then claimed to the FTC that LabMD had failed to disclose a breach but did not disclose that the breach was by Tiversa themselves.

      LabMD may have needed the services of a security consulting company. No one needs the services of a lying security consulting company.

    6. Re:Tiversa breached systems? by JWSmythe · · Score: 4, Interesting

      That's probably the biggest reason to have good in-house security people. They don't have a financial interest to make breaches or lie about them. It's in their best interest to keep everything secure, and continue to look for new ways to attempt breaking into their own stuff.

      I've never felt good about letting third parties in to do security testing. When someone above my rank decided to let a 3rd party do external tests, they'll pick anything and make it sound disastrous. One place was bitching about anything.

      They complained that we had the current version of Bind running on the DNS servers. "But people can do DNS requests!" Yup.

      They flagged the fact that we dropped unwanted traffic at the firewall. Yup. Get over it. They were upset it took forever to scan the network. Good.

      They flagged us for having a web server providing static content. They were upset they couldn't find any way to exploit CGIs or do SQL injection. Yup. That was kind of the idea.

      There were a whole bunch of other trivial things that they flagged us for. Then they were brought to the office, and got upset that we didn't provide wifi. Nope, that's a security risk. They wanted to plug their laptop into our network, so they were only given external access. Again, they bitched. But letting an unknown computer owned by an unauthorized party plug into our network is a security risk.

      They eventually gave up trying to bully us into dropping our security precautions and gave us a pass.

      I already habitually ran tests with privileged access to make sure even if all layers of protection failed, nothing really bad could happen.

      Honestly, if they are given everything, they can find something. Give them administrative rights to everything, and credentials to everything, they can find something. Like, email accounts can be accessed with full admin rights. Funny how that works.

      --
      Serious? Seriousness is well above my pay grade.
  4. They're creating jobs! by Anonymous Coward · · Score: 5, Funny

    I'm off to go smash some windows.

    It's okay though because I work for Window Smashers LLC.

  5. LEO by jythie · · Score: 4, Insightful

    I love how they use awards by law enforcement as an example of them being good actors. One of the old and scary problems in our legal system has always been law enforcement working with really shady companies and protecting them. The fraternal atmosphere tends to leave police departments particularly vulnerable to being scammed, esp when those scams result in things that benefit the department like cash, 'evidence', or validation of existing prejudice.

  6. They reveal themselves! by redelm · · Score: 5, Interesting

    Hmm ... Iran has blueprints ... sounds bad. But of _course_ they have blueprints of that model helo -- the Shah bought them prior to 1979! Marine One is [usually] a Sikorsky VH-3 "Sea King" which first flew in 1959.

    When advocates make inflammatory claims that have innocent explanations, I consider them confidence crooks. They know their best arguments and have made them. Yet another example of lies being more revealing than the truth (so long as you already know it.)